
Using Apple’s Open Directory PDC to authenticate Linux Samba servers

By Iain Morris posted on January 26th, 2010

Samba is the result of some clever reverse-engineering to create reliable Windows file sharing without the headaches of a Windows server. Mac OS X clients can also use these shares, making Samba a great option for cross-platform environments. It’s not a common scenario to use an Open Directory server to control Linux systems, but here’s how to do it if you have one already, and want to use Samba on Linux with your OD users.  If you are finding the Xserve platform to be a little out of your budget for the amount of performance you get, or you don’t want to administrate yet another Mac OS X Server system, this could be a great alternative to an AFP solution for your Macs.

We could host SMB shares directly on our OD server, but ideally we keep our OD server just as a directory and authentication server, and let other servers do the file sharing heavy lifting.

We’ll be using a Mac OS X Server 10.5 OD master to authenticate a Red Hat Enterprise Linux 5 system with the distro Samba package, but this should work on any of the Samba distributions out there.  We’ll make a simple share point for some OD users to access their files in a collaborative way.

First, we’ll configure the Open Directory server.  In Server Admin, make sure you have activated SMB as a service under “Services” in the general section of your OD server’s entry.


Assuming this is an OD master, click on the new SMB entry on the left panel, and change the server’s role from Standalone Server to Primary Domain Controller (PDC).

Enter a description, computer name, and domain for your new PDC.


Unless you need Windows 95 support (shudder), it is a good idea to uncheck “LAN Manager” authentication under “Access”, as this is generally considered insecure these days.


Samba requires a few ports open on your host firewall to be browseable and accessible.  Under Firewall on the left panel of Server Admin, you’ll need to make sure the following are open for “full-service” Samba:

  • Microsoft Domain Server (445 TCP)
  • WINS – Windows Internet Naming Service (137 UDP)
  • NETBIOS datagram – Windows browsing (138 UDP)
  • SMB/CIFS – Windows file service (139 TCP)

Be sure any firewalls upstream are also allowing this traffic to this specific host.  Be conservative on what networks get access, as there have been numerous security issues initiated with breaches on these services.  Some services, such as WINS, may not be necessary for your specific installation.

Now to the Linux server…

On Red Hat systems and many others, the core configuration for Samba is in /etc/samba/smb.conf.  Open this file in your favorite editor.

Under “Network Related Options” enter:

workgroup = MYCOMPANYGROUP

Under “Domain Members Options” enter:

security = domain
encrypt passwords = yes
password server = ODSERVER1

Under “Share Definitions” enter:

[mynewshare]
comment = My test share
path = /myshare
writable = yes
browseable = yes
valid users = @od_group1
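Before restarting smbd it is worth confirming that the domain-member options above actually made it into the file in the form Samba expects, and that nothing re-enabled the LAN Manager authentication we turned off on the PDC. The script below is an added example and not part of the original post; it assumes only POSIX sh and awk, and the parameter names it checks (security, encrypt passwords, password server, workgroup, lanman auth, client lanman auth) are standard Samba global parameters.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the domain-member
# settings in an smb.conf before restarting smbd.  Needs only POSIX sh and awk.
# Usage: sh check_smb_conf.sh /etc/samba/smb.conf

# Print the value of one [global] parameter.  Names are compared
# case-insensitively with spaces and underscores stripped, so "password server",
# "Password Server" and "password_server" all match.  Exits 1 if not set.
# If a parameter appears more than once, the last occurrence wins, as in Samba.
smb_global_param() (
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' _')
    awk -v want="$want" '
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[][ \t]/, "", sec); next }
        sec == "global" && index($0, "=") > 0 {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t_]/, "", name)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) { last = val; found = 1 }
        }
        END { if (found) { print last; exit 0 } exit 1 }
    ' "$1"
)

# Verify the settings the post puts under "Domain Members Options" and flag
# LAN Manager authentication, which the post recommends disabling on the PDC.
# Returns 0 when everything looks right, 1 otherwise (problems go to stderr).
check_smb_conf() (
    conf=$1; rc=0
    lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

    v=$(smb_global_param "$conf" "security") || v=""
    if [ "$(lc "$v")" != "domain" ]; then
        echo "FAIL: security must be 'domain' to defer to the PDC (got '${v:-unset}')" >&2; rc=1
    fi
    v=$(smb_global_param "$conf" "encrypt passwords") || v=""
    if [ "$(lc "$v")" = "no" ]; then
        echo "FAIL: encrypt passwords = no allows plaintext password exchange" >&2; rc=1
    fi
    v=$(smb_global_param "$conf" "password server") || v=""
    if [ -z "$v" ]; then
        echo "FAIL: password server is not set (should name the OD PDC)" >&2; rc=1
    fi
    v=$(smb_global_param "$conf" "workgroup") || v=""
    if [ -z "$v" ]; then
        echo "FAIL: workgroup is not set (must match the PDC domain)" >&2; rc=1
    fi
    for p in "lanman auth" "client lanman auth"; do
        v=$(smb_global_param "$conf" "$p") || v=""
        if [ "$(lc "$v")" = "yes" ]; then
            echo "FAIL: $p = yes enables weak LM hashes; set it to no" >&2; rc=1
        fi
    done
    exit $rc
)

if [ $# -gt 0 ]; then
    check_smb_conf "$1" && echo "OK: $1 looks like a sane domain member config"
fi
```

Run it against /etc/samba/smb.conf after editing and before `service smb restart`; a non-zero exit means at least one of the domain-member settings is missing or weakened.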

Next, we need to join the Samba server to the PDC.  You’ll need your directory administrator password for this:

net join -S odserver1 -U diradmin

Restart your Samba service to bring in the new config.  On Red Hat:

service smb restart

To make permissions function cleanly, we’ll want to make our Linux server aware of our OD server users.  To do this in Red Hat, you can edit the PAM entries directly, or use one of the available utilities.  We’ll use authconfig-tui here.  Be very careful to restrict access when doing this if you allow authentication from your OD server (via sshd_config, PAM, etc.), as this will potentially allow anyone in your OD domain to log in to the Linux server.  This is most likely not your intended configuration.

Under “User Information”, select “Use LDAP”.  If you want users to log in via other means, under “Authentication”, select “Use Kerberos”.


Choose “Next”.

Select “Use TLS” (highly recommended, but you need to install the CA cert for your OD server locally on the Linux server).

For “Server” enter the url to your ldap server:  ldap://odserver1.mycompany.com/

“Base DN” should be the DN assigned by your Mac OS X Server at install:  dc=odserver1,dc=mycompany,dc=com


For “Kerberos Settings”:

Realm: ODSERVER1.MYCOMPANY.COM

KDC: odserver1.mycompany.com:88

Admin Server: odserver1.mycompany.com:749


Finally, we need to make sure the share point /myshare exists and has the right permissions.  If you want everyone in the OD group to be able to edit and share files in the directory, set the sgid bit on the /myshare directory and change ownership to the group od_group1:

chown nobody:od_group1 /myshare
chmod 2770 /myshare

If you don’t want users deleting each others’ files, you can also set the “sticky” bit:

chmod o+t /myshare

If you are running SELinux in Enforcing mode, you will need to change security contexts on the /myshare directory:

chcon -t samba_share_t /myshare
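The three steps above (sgid, sticky bit, SELinux label) are easy to get half-right, and the resulting mode is what actually decides whether group members can collaborate without trampling each other’s files. The script below is an added example, not code from the original post: it applies the same settings to a share directory, only runs chcon when SELinux is actually enforcing, and then verifies the mode, the group, and that a newly created file inherits the directory’s group. The owner and group are parameters because nobody:od_group1 only exists on the post’s servers.

```shell
#!/bin/sh
# Added example, not part of the original post: set up a collaborative Samba
# share directory (setgid + group-only access + sticky bit), label it for
# SELinux when enforcing, and verify the result.  GNU coreutils (stat -c) assumed.
# Usage: sh setup_share.sh /myshare nobody:od_group1

# setup_share_dir <path> <owner:group>
setup_share_dir() (
    dir=$1; owner=$2
    mkdir -p "$dir"
    chown "$owner" "$dir"
    chmod 2770 "$dir"      # rwx for owner and group, nothing for others, setgid
    chmod o+t "$dir"       # sticky: only a file's owner (or root) may delete it
    # chcon is only meaningful with SELinux present and enforcing; elsewhere it
    # is absent or a no-op, so skip it rather than fail.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = "Enforcing" ]; then
        chcon -t samba_share_t "$dir" || echo "WARN: chcon failed on $dir" >&2
    fi
)

# share_mode <path>: print the octal mode; 3770 = setgid + sticky + rwxrwx---
share_mode() {
    stat -c '%a' "$1"
}

# check_share_dir <path> <group>: exit 0 if the directory is set up as intended
check_share_dir() (
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist" >&2; exit 1; }
    mode=$(share_mode "$dir")
    [ "$mode" = "3770" ] || { echo "FAIL: mode is $mode, want 3770" >&2; exit 1; }
    [ "$(stat -c '%G' "$dir")" = "$group" ] || { echo "FAIL: group is not $group" >&2; exit 1; }
    # setgid effect: a file created inside must pick up the directory's group,
    # otherwise other members of the OD group cannot edit it.
    probe=$dir/.setgid-probe.$$
    : > "$probe"
    g=$(stat -c '%G' "$probe"); rm -f "$probe"
    [ "$g" = "$group" ] || { echo "FAIL: new file got group $g, not $group" >&2; exit 1; }
    exit 0
)

if [ $# -ge 2 ]; then
    setup_share_dir "$1" "$2"
    check_share_dir "$1" "${2#*:}" && echo "OK: $1 is mode $(share_mode "$1"), group ${2#*:}"
fi
```

The mode 3770 is what you should see from `stat -c %a /myshare` once both chmod commands have run; if it reads 2770 the sticky bit was skipped, and if it reads 0770 the sgid bit was lost (some tools recreate directories without it).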

The last step is to ensure the Linux server host firewall is allowing SMB access, as we did with the OD server above.



2 Responses to “Using Apple’s Open Directory PDC to authenticate Linux Samba servers”

  1. Kyle says:

    Great article as I have been trying to accomplish this exact task for a while now. Did you have to still add users via ‘smbpasswd’ on the linux server in order for them to connect? I ask because I have pretty much the same setup (OSX10.6 OD and CentOS5.5) and when I attempt to connect I see “session setup failed: NT_STATUS_LOGON_FAILURE” via smbclient.

  2. Iain Morris says:

    Hi Kyle, thanks.

    You shouldn’t need to add users via smbpasswd on the linux server. Be sure to successfully do a “net join -S” to your OD server from the samba server, and that a computer record is successfully created in Workgroup Manager for the linux server. This would definitely cause some failed logins.

    Also be sure the time on your linux server, client computer, and OD server are all synchronized if you are using kerberos authentication.

    Hope that helps Kyle!
